All Apps and Add-ons

Splunk DUO connector which can support v2 auth logs

lim2
Communicator

Per DUO support, Splunk DUO connector 1.1.6b and 1.1.6 do not support v2 auth logs; therefore, the connector won't be able to pull those 2FA device IP's in the logs. When will the updated Splunk DUO connector which can support v2 auth logs be available? Thanks.

0 Karma

tnewell419
New Member

Not officially supported, but confirmed working

While not officially supported, you can make this happen with 2 simple edits to duo_input.py in $SPLUNK_HOME/etc/apps/duo_splunkapp/bin/ (this path may be different in your environment). This works on the publicly available 1.1.6 app downloaded directly from Splunkbase. There is also a hidden Dashboard page available https://yoursplunkenvironment/en-US/app/duo_splunkapp/duo_auth_dash_2. Would love to hear if this works for anyone.

Line 11 should be changed.
From: logclasses.paginated_authentication_log import PaginatedAuthenticationLog
To: from logclasses.paginated_authentication_log_v2 import PaginatedAuthenticationLogv2

Line 360 should be changed.
From: PaginatedAuthenticationLog,
To: PaginatedAuthenticationLogv2,

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...